[Gta04-owner] There's not only Linux out there
glenn.mh.dk at gmail.com
Fri Oct 21 20:13:48 CEST 2011
On 21/10/11 00.17, Martin Christian wrote:
> It's not that I don't like Linux. It's a great desktop OS. But I think
> mobile devices require something more secure.
> Gta04-owner mailing list
> Gta04-owner at goldelico.com
I fully agree - see:
O(1) time efficiency for most operations
Linux-VServer can be used with PaX:
Linux-VServer provides virtualization for GNU/Linux systems. This is
accomplished by kernel level isolation. It allows to run multiple
virtual units at once. Those units are sufficiently isolated to
guarantee the required security, but utilize available resources
efficiently, as they run on the same kernel.
PaX offers executable space protection, using (or emulating in operating
system software) the functionality of an NX bit (i.e., built-in CPU/MMU
support for memory contents execution privilege tagging). It also
provides address space layout randomization to defeat ret2libc attacks
and all other attacks relying on known structure of a program's virtual
May 17th, 2007 Linux Virtualization = Linux-VServer:
Linux Vserver, on the other hand is only useful for having multiple
Linux-based servers that have the same kernel. This is much more
efficient, because each host server doesn't have the extra overhead of
an entire kernel. But it does have some limitations. You obviously can't
run a Windows server under a Linux Vserver host. The versions I've
worked on also have some limitations with iptables and quotas (Although
some of these may be fixed in recent versions).
On the plus side, for Linux-Vserver, I've heard that the One Laptop Per
Child (OLPC) project is using it as part of their security model. They
are using it so that each application runs in its own virtual server and
can't disrupt other applications.
2007-11-06 Interview: Linux-VServer Project Leader Herbert Pötzl:
Bertl: Linux-VServer is an isolation technique in concept very similar
to BSD Jails or Solaris Containers, which allows multiple Linux
environments to run on a single kernel side by side, with no measurable
The idea was quite simple, but the implementation took a long time to
get perfected. Today we not only have Unification, but also Copy on
Write (CoW) Link Breaking.
As far as I know, the following distributions have some kind of
Linux-VServer package/option available:
* ALT Linux, Arch Linux, Debian, Fedora, Gentoo, Knoppix, Mandriva, PLD
Linux, Rock Linux, Slackware, T2, and Ubuntu
Large Deployments are definitely PlanetLab and Lycos Europe, but I also
heard rumors about Cisco and other larger companies. As we do not
require any registration to use the software, there is no real way to
tell, and personally, I do not care that much about the numbers.
Bertl: Linux-VServer drastically increases security if used properly, so
yes, that is actually one of the main usage scenarios of Linux-VServer,
although most folks will consider hosting and server consolidation the
primary area of application.
Bertl: chroot(), contrary to common belief, is not a security mechanism
per se, it just changes the view of a process.
Bertl: Yes, at least one person is actively using Xen and Linux-VServer
together, but I guess there are more out there, especially as Xen and
Linux-VServer go nicely side by side complementing each other, you won't
use a fork when you need a spoon and vice versa.
I've been "playing" with vserver for years (is it that long) now and
finally had the opportunity to deploy it in my datacenter earlier this
year when we consolidated our Athlon 2800 servers onto quad-core Opterons.
In addition to saving a ton of space. money and pain it made one
specific thing very easy... Cleaning up after a comprimise.
The systems we migrated were RHEL AS 2.1 systems (RHEL 5 was in beta)
and brought with them a TON of security holes. It wasn't too long
afterwards that we noticed one of the servers had been cracked.
Normally, you can't trust your own tools when that happens, but due to
the added layer of protection, I was able to easily use the host
system's tools to replace the rooted utilities to get my servers
Bitfrost: the One Laptop per Child Security Model:
To this end, we have designed and are implementing Bitfrost, a security
platform for the children's laptop that borrows from many recent
developments in the field of usable security (HCI-SEC). Freed from the
requirement to support legacy software, we believe that we have created
a system that may allow children to learn and experiment with advanced
technology without falling prey to those who would harm them or their
The laptop is based on an AMD Geode LX-700 processor running at 433 MHz.
It has a 7.5-inch screen that can operate in either a medium resolution
color or high resolution black and white mode, a wireless mesh network,
camera that supports video, a microphone, and three USB ports. There is
256 MB of RAM
We have seen many security systems fail or become unusable because of
their inability to address the identification and authentication of
manufacturers, publishers, and users.
Once the kernel boots, the P_SF_RUN runtime protection system takes
over. As mentioned above, this system is based on VServer, a lightweight
Linux virtualization system that has been widely used at shared hosting
Internet service providers
Squeak for the kids! Use Linux-vserver power before giving your Neo to a
kid (or someone else) Re: Idea for OpenMoko: Kid Mode:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gta04-owner